SFR cannot connect to FMC

Steven Williams
Level 4

Are there any logs I can look at to see why my SFR isn't connecting to the FMC when I try to add a new device? I can ping both ways from the SFR to the FMC, packet tracer says port 8305 is good, but there is no telnet option on the SFR so I can't really open a port to the FMC. So in that case I am looking for logs to see the issue.


vagner.araujo
Level 1

Hi,

Is it a new installation, or had you already configured it before?

1. New installation (it was my scenario)
I had some problems with a Firepower 4100 not being registered, and I needed to format the OS; after that it was finally added to the FMC. The Firepower had old configurations with an old manager, and even using configure manager del and then configure manager add <IP> <Password> it was not possible to configure the new manager. There's also a trick to erase the configuration:

configure firewall transparent
configure firewall routed

This trick would erase the configuration, but it didn't work for me since a local manager was configured before the FMC, so I needed to format the SFR.

2. It's in production
Depending on your urgency you'll need to open a high-priority ticket with Cisco TAC.

For some friends who lost management for around 50 SFRs at the same time, they opened a TAC case and a patch was needed for the FMC.

First try to figure out where the problem is: do you have more firewalls working fine? Probably it's in a specific SFR.
There's a topic talking about it:
https://community.cisco.com/t5/firepower/error-adding-device-in-firesight/td-p/2950738
You can use some commands like admin@firepower:~$ sudo pmtool status |grep sftunnel

The sftunnel is the tunnel between your SFR and FMC.

I hope it guides you in some way.

3. It's working for many and a new firewall is not working?
Check if there's a firewall between them blocking the sftunnel on port 8305.

Abheesh Kumar
VIP Alumni
Hi,
Are your sensor and FMC in different subnets?
If both are in different subnets, is there any firewall in between these subnets?
If there is a firewall, then check that 8305 is allowed through it.
Try to delete the configured manager and add it again, then try to register again.

HTH
Abheesh

Sensor and SFR are on different subnets across the WAN. Splunk doesn't detect any denies and the traffic is getting there. It also sees it on 8305 and looks good. I have deleted the manager many times with no change. Is there anything I need to do with bypassing any of this traffic from the SFR?

I have removed the manager and re-added it with the key. I know the key is right, and this is the error from the FMC.

Nov 24 15:48:23 BNAPINF010 SF-IMS[20228]: [28071] sftunneld:sf_peers [INFO] Peer 10.81.90.202 needs a single connection
Nov 24 15:48:23 BNAPINF010 SF-IMS[20228]: [28071] sftunneld:sf_ssl [INFO] Connect to 10.81.90.202 on port 8305 - eth0
Nov 24 15:48:23 BNAPINF010 SF-IMS[20228]: [28071] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 10.81.90.202 (via eth0)
Nov 24 15:48:23 BNAPINF010 SF-IMS[20228]: [28071] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.81.90.202:8305/tcp
Nov 24 15:48:23 BNAPINF010 SF-IMS[20228]: [28071] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 10.81.90.202
Nov 24 15:48:23 BNAPINF010 SF-IMS[20228]: [28071] sftunneld:sf_ssl [INFO] Connected to 10.81.90.202:8305 (IPv4)
Nov 24 15:48:23 BNAPINF010 SF-IMS[20228]: [28071] sftunneld:sf_ssl [INFO] Successfully connected using SSL to: '10.81.90.202'
Nov 24 15:48:23 BNAPINF010 SF-IMS[20228]: [28071] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer '10.81.90.202'

So is there some other process that needs to be done for this?
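An added example, not part of this thread: a small shell function that reads FMC-side sftunnel log lines like the ones quoted above and reports how far the registration attempt got. The point it makes explicit is that the log shows the TCP connection and the TLS handshake both succeeding before VerifyConnect fails, so a firewall block (which would leave no "Connected to" line at all) is not the same failure as a key or certificate problem at the peer-authentication step. The label names and the sample log variable are this example's own; the three sample lines are taken from the log quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify an sftunnel registration
# attempt by the furthest stage its FMC log lines show.
# Reads log text on stdin and prints exactly one label.
sftunnel_stage() {
    awk '
        /Connected to [^ ]*:8305/              { tcp = 1 }        # TCP session established
        /Successfully connected using SSL/     { tls = 1 }        # TLS handshake completed
        /VerifyConnect:Failed to authenticate/ { auth_fail = 1 }  # peer verification failed
        END {
            if (!tcp)           print "tcp-connect-missing"    # check firewalls / routing first
            else if (!tls)      print "tls-handshake-missing"  # transport OK, TLS never completed
            else if (auth_fail) print "peer-auth-failed"       # transport and TLS OK: key/cert mismatch
            else                print "no-failure-logged"
        }'
}

# Constructed sample: the three decisive lines from the log quoted in the thread.
SAMPLE_LOG="Nov 24 15:48:23 BNAPINF010 SF-IMS[20228]: [28071] sftunneld:sf_ssl [INFO] Connected to 10.81.90.202:8305 (IPv4)
Nov 24 15:48:23 BNAPINF010 SF-IMS[20228]: [28071] sftunneld:sf_ssl [INFO] Successfully connected using SSL to: '10.81.90.202'
Nov 24 15:48:23 BNAPINF010 SF-IMS[20228]: [28071] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer '10.81.90.202'"

# Usage: pipe the relevant log excerpt into the function.
printf '%s\n' "$SAMPLE_LOG" | sftunnel_stage   # prints peer-auth-failed
```

On a real system you would feed it the sftunnel-related lines from the FMC (or the sensor) instead of the sample variable; "peer-auth-failed" is the result that sends you to the sftunnel.conf key and certificate checks discussed later in the thread rather than to the network team.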

Check sftunnel.conf at both ends - it's located in etc/sf. The hashed key value is in there so you can compare the values between your device and FMC. If they don't match you can rename sftunnel.conf to sftunnel.conf.OLD and the device (FMC or sensor) will recreate it when you re-register your manager.

The other thing I can think of is have you changed the SSL certificate on your FMC from the self-signed one?

Well, it says the connection via SSL is successful, so would that be the same or different?

Would it matter that the FQDN for the SFR has a different suffix than the FMC?

I'm asking because of:

VerifyConnect:Failed to authenticate or to be authenticated by peer '10.81.90.202'

If an external certificate was added without the correct EKU (Enhanced Key Usage), that could cause this error. The certificates at both ends must have both Client Authentication and Server Authentication EKU set as the authentication is two-way (vs. the more common one-way which would be a standard server certificate template).

I assume the FMC has a self-signed cert since when I navigate to its URL I get a security warning. So how do you go about fixing this issue then?

Examine the certificate on both ends. The sftunnel.conf file tells you where the local certificate is stored. Copy that certificate .pem file text into a .cer file. You can then look at it and confirm the EKU for both ends.
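An added example, not from the thread or from Cisco: once you have the .pem file that sftunnel.conf points to on each end, this shell snippet decodes it with the openssl command-line tool and checks for the two EKUs the reply above says a two-way sftunnel peer needs, TLS Web Server Authentication and TLS Web Client Authentication. It assumes openssl is installed and prints the EKU names the way OpenSSL does; the certificate file paths are the caller's, and the self-signed certificates it generates are constructed only so the check can be demonstrated offline, not real device certificates.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a PEM certificate carries
# both EKUs a two-way sftunnel peer needs (serverAuth and clientAuth).
# Assumes the openssl command-line tool is available.

# Print the line following "X509v3 Extended Key Usage" in the decoded
# certificate (empty when the extension is absent).
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/X509v3 Extended Key Usage/{n;p;}'
}

# Return 0 only when both TLS Web Server and TLS Web Client Authentication are present.
has_mutual_auth_eku() {
    eku=$(cert_eku "$1")
    case "$eku" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) return 0 ;; *) return 1 ;; esac
}

# make_test_cert OUT.pem EKU_LIST: constructed self-signed certificate for the
# demonstration only (e.g. EKU_LIST "serverAuth,clientAuth"); the CN is made up.
make_test_cert() {
    out=$1; ekus=$2
    work=$(mktemp -d) || return 1
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n[dn]\nCN = sensor.example.test\n[ext]\nextendedKeyUsage = %s\n' "$ekus" > "$work/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/req.cnf" \
        -keyout "$work/key.pem" -out "$out" >/dev/null 2>&1
    rc=$?
    rm -rf "$work"
    return $rc
}

# Demonstration: a server-only certificate fails the check, one with both EKUs passes.
demo=$(mktemp -d)
make_test_cert "$demo/server-only.pem" "serverAuth"
make_test_cert "$demo/mutual.pem" "serverAuth,clientAuth"
for c in "$demo/server-only.pem" "$demo/mutual.pem"; do
    if has_mutual_auth_eku "$c"; then
        echo "$c: has serverAuth and clientAuth"
    else
        echo "$c: missing an EKU needed for two-way authentication"
    fi
done
```

Run has_mutual_auth_eku against the certificate on the FMC and against the one on the sensor; the thread's point is that both ends must pass, because each side authenticates the other. A certificate issued from an ordinary web-server template typically has only serverAuth and fails this check.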

How do you get/see the certificate on the SFR?